Open Bug 1741768 Opened 3 years ago Updated 8 months ago

Assertion failure: mStart <= mEnd (Invalid Interval), at /builds/worker/workspace/obj-build/dist/include/Intervals.h:49

Categories

(Core :: Audio/Video: Playback, defect, P3)

defect

Tracking


Tracking Status
firefox-esr102 --- affected
firefox-esr115 --- affected
firefox96 --- wontfix
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox116 --- wontfix
firefox117 --- affected
firefox118 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached video testcase.mp4

Found while fuzzing m-c 20211010-89883f516fc9 (--enable-debug --enable-fuzzing)

Assertion failure: mStart <= mEnd (Invalid Interval), at /builds/worker/workspace/obj-build/dist/include/Intervals.h:49

#0 0x7f61ab1047b6 in mozilla::media::Interval<long>::Interval<unsigned long&, long&>(unsigned long&, long&) /builds/worker/workspace/obj-build/dist/include/Intervals.h:49:5
#1 0x7f61ab103d74 in mozilla::Box::Box(mozilla::BoxContext*, unsigned long, mozilla::Box const*) src/dom/media/mp4/Box.cpp:109:18
#2 0x7f61ab1048b9 in mozilla::Box::Next() const src/dom/media/mp4/Box.cpp:124:10
#3 0x7f61ab12f6f0 in mozilla::MoofParser::ScanForMetadata(mozilla::media::Interval<long>&) src/dom/media/mp4/MoofParser.cpp:194:65
#4 0x7f61ab12aea4 in mozilla::MoofParser::Metadata() src/dom/media/mp4/MoofParser.cpp:209:3
#5 0x7f61ab11f59e in mozilla::MP4Metadata::Metadata(mozilla::ByteStream*) src/dom/media/mp4/MP4Metadata.cpp:469:53
#6 0x7f61ab11bd3a in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:92:47
#7 0x7f61aa361b53 in mozilla::BenchmarkPlayback::DemuxSamples() src/dom/media/Benchmark.cpp:192:13
#8 0x7f61aa3b7abb in operator() src/dom/media/Benchmark.cpp:146:59
#9 0x7f61aa3b7abb in mozilla::detail::RunnableFunction<mozilla::Benchmark::Run()::$_14::operator()() const::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#10 0x7f61a44c054d in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:208:20
#11 0x7f61a44e98df in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:305:14
#12 0x7f61a44db69b in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1145:16
#13 0x7f61a44e61cc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:467:10
#14 0x7f61a5961b45 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
#15 0x7f61a57ec001 in RunInternal src/ipc/chromium/src/base/message_loop.cc:331:10
#16 0x7f61a57ec001 in RunHandler src/ipc/chromium/src/base/message_loop.cc:324:3
#17 0x7f61a57ec001 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:306:3
#18 0x7f61a44d4238 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:390:10
#19 0x7f61c2fa2cce in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7f61c68ca608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
#21 0x7f61c6492292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211118034937-f172e803d80c.
The bug appears to have been introduced in the following build range:

Start: 1005c275ed0f63d7ff2b003cff9c0e67b412a950 (20210428215523)
End: cd81489560e48d19e43f8438c0c939fb58023648 (20210501093251)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1005c275ed0f63d7ff2b003cff9c0e67b412a950&tochange=cd81489560e48d19e43f8438c0c939fb58023648

Whiteboard: [bugmon:bisected,confirmed]

Looks like we're creating an invalid interval while parsing a fuzzy mp4. Let me see if I can get a fix for this.

Assignee: nobody → bvandyk
Severity: -- → S3
Priority: -- → P1

No luck reproing this with a local debug build on Win. Any suggestions to repro are appreciated. Unassigning, will grab it back if I can repro.

Assignee: bvandyk → nobody
Priority: P1 → P3

Looking again, that stack is surprising -- I don't understand how the file is reaching the benchmark machinery. Would it be possible to get more specific steps to repro in case I'm overlooking a required step?

Flags: needinfo?(twsmith)

It's reliable with Grizzly Replay and a debug build.

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp4

I've tried to get a Pernosco session but it does not seem to reproduce with a no-opt debug build.

Flags: needinfo?(twsmith)

The fuzzers are still reporting this issue. Both debug and opt builds.

Since this does not reproduce with -O0 builds I have created a Pernosco session using -O1. https://pernos.co/debug/hguK-eODKj1xSL6BFB28Sg/index.html

Testing with UBSan signed-integer-overflow check enabled reports:

src/dom/media/mp4/Box.cpp:100:47: runtime error: signed integer overflow: 40 + 9223372036854775807 cannot be represented in type 'long'
    #0 0x7f568a1c610d in mozilla::Box::Box(mozilla::BoxContext*, unsigned long, mozilla::Box const*) src/dom/media/mp4/Box.cpp:100:47
    #1 0x7f568a201b76 in mozilla::Box::Next() const src/dom/media/mp4/Box.cpp:124:10
    #2 0x7f568a201b76 in mozilla::MoofParser::ScanForMetadata(mozilla::media::Interval<long>&) src/dom/media/mp4/MoofParser.cpp:194:65
    #3 0x7f568a1fc739 in mozilla::MoofParser::Metadata() src/dom/media/mp4/MoofParser.cpp:209:3
    #4 0x7f568a1ed308 in mozilla::MP4Metadata::Metadata(mozilla::ByteStream*) src/dom/media/mp4/MP4Metadata.cpp:469:53
    #5 0x7f568a1e8cde in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:92:47
    #6 0x7f5688ca2395 in mozilla::BenchmarkPlayback::DemuxSamples() src/dom/media/Benchmark.cpp:192:13
    #7 0x7f5688d2000a in mozilla::Benchmark::Run()::$_14::operator()() const::'lambda'()::operator()() const src/dom/media/Benchmark.cpp:145:59
    #8 0x7f5688d2000a in mozilla::detail::RunnableFunction<mozilla::Benchmark::Run()::$_14::operator()() const::'lambda'()>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:546:5
    #9 0x7f5680dde607 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:259:20
    #10 0x7f5680e1422c in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:309:14
    #11 0x7f5680e028f5 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1198:16
    #12 0x7f5680e0f3a2 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #13 0x7f5682a18c7f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:300:20
    #14 0x7f56828372de in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:381:10
    #15 0x7f56828372de in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:374:3
    #16 0x7f56828372de in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:356:3
    #17 0x7f5680df8262 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:383:10
    #18 0x7f56a85e7697 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7f56a92b4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #20 0x7f56a8e5f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
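
The UBSan report above points at the box end computation: an offset of 40 plus a declared size of 9223372036854775807 does not fit in a signed 64-bit value, and a wrapped (negative) end is how an Interval ends up with mStart > mEnd. The following is an added example and not Gecko's Box or Interval code: a minimal ISO BMFF box-header reader (hypothetical names BoxHeader, parseBoxHeader, readBE, sampleStream) that checks the addition before constructing the byte range and rejects the box instead. The sample bytes are constructed for the example and include a box whose 64-bit largesize is INT64_MAX, mirroring the pattern in the report.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Hypothetical types for this example; not Gecko's Box/Interval classes.
struct BoxHeader {
    std::string type;   // four-character code, e.g. "ftyp"
    int64_t start;      // offset of the box header in the stream
    int64_t end;        // one past the last byte of the box; invariant start <= end
};

// Read a big-endian unsigned integer of n bytes (n <= 8).
static uint64_t readBE(const uint8_t* p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; ++i) v = (v << 8) | p[i];
    return v;
}

// Parse the box header at `offset`. Returns nullopt for a truncated header,
// a declared size smaller than the header itself, or a declared size whose
// end offset would not fit in int64_t (the signed overflow UBSan flagged).
std::optional<BoxHeader> parseBoxHeader(const std::vector<uint8_t>& data, int64_t offset) {
    const int64_t avail = static_cast<int64_t>(data.size());
    if (offset < 0 || offset > avail - 8) return std::nullopt;
    const uint8_t* p = data.data() + offset;
    uint64_t size = readBE(p, 4);
    std::string type(reinterpret_cast<const char*>(p + 4), 4);
    uint64_t headerLen = 8;
    if (size == 1) {                       // 64-bit "largesize" follows the type
        if (offset > avail - 16) return std::nullopt;
        size = readBE(p + 8, 8);
        headerLen = 16;
    } else if (size == 0) {                // box extends to the end of the stream
        size = static_cast<uint64_t>(avail - offset);
    }
    if (size < headerLen) return std::nullopt;   // would give end < start
    // Checked add: offset + size must fit in int64_t, otherwise reject the box
    // rather than build a range whose end has wrapped negative.
    if (size > static_cast<uint64_t>(INT64_MAX - offset)) return std::nullopt;
    return BoxHeader{type, offset, offset + static_cast<int64_t>(size)};
}

// Constructed sample: a 16-byte "ftyp" box followed at offset 16 by a box
// whose largesize is 0x7fffffffffffffff (INT64_MAX).
std::vector<uint8_t> sampleStream() {
    return {
        0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0x00, 0x00, 0x02, 0x00,
        0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
        0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    };
}

int main() {
    const std::vector<uint8_t> stream = sampleStream();
    int64_t pos = 0;
    // Walk boxes until one is rejected or the stream ends.
    while (auto box = parseBoxHeader(stream, pos)) {
        std::printf("%s [%lld, %lld)\n", box->type.c_str(),
                    static_cast<long long>(box->start), static_cast<long long>(box->end));
        pos = box->end;
    }
    std::printf("stopped at offset %lld (invalid box or end of stream)\n",
                static_cast<long long>(pos));
    return 0;
}
```

Walking the constructed stream yields the ftyp box as [0, 16) and then stops at offset 16, because the second box's declared size cannot be added to its offset without exceeding INT64_MAX; the same guard also catches a size field smaller than the header, which is the other way a range can end up with end < start.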

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Testcase crashes using the initial build (mozilla-central 20230624091338-d9d61c7bc752) but not with tip (mozilla-central 20240621215457-4f32b6952628).

The bug appears to have been fixed in the following build range:

Start: 0a60b9ddceafb104aac4daf1c908196f6335ccd8 (20240515212602)
End: 4cf620b67822db457052e7baef70556c509161dc (20240515213346)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0a60b9ddceafb104aac4daf1c908196f6335ccd8&tochange=4cf620b67822db457052e7baef70556c509161dc

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(twsmith)
Keywords: bugmon

I can reproduce with m-c 20240625-653f0dc8442d.

Flags: needinfo?(twsmith)